67. The $10 Million Cybersecurity Mistake That Could Destroy Your Business Tomorrow
Justin Shelley (00:00.862)
Welcome everybody to episode 67 of Unhacked. You know, we're here to help business owners navigate the chaos of cyber threats and come out stronger, smarter, and more secure. And Mario, today I think we're going to help business owners navigate the chaos of life in general. You know, as you just said, we should have had the, the microphones rolling the whole time in our, our lead-up prepping for this episode. But I think the general consensus is life's just weird. Any, any thoughts there? Okay.
Mario Zaki (00:27.946)
Yeah.
No, I completely agree. It's just something in the air lately has just been weird.
Justin Shelley (00:36.738)
Yeah, yep. That's that's my best word for it. In fact, the title of the episode, which I'm not going to say because it's a little crude is life's just weird. Anyways, let's let's roll Mario. Tell everybody who you are, what you do and who you do it for.
Mario Zaki (00:53.397)
Well, Mario Zaki, CEO of Mastek IT, located in New Jersey. Been in business for 21 years now, helping small to medium sized businesses stay safe from those Russian hackers and from other places in the world. And we specialize in helping business owners sleep better at night, knowing that their business is safe and secure.
Justin Shelley (01:16.61)
You know, congrats on, what did you say? 21 years. That's right. 'Cause you're legal to drink now, or your company is. And I don't know the math. I should, off the top of my head. Started, originally the company was Master Computing back in 1997, and to just go with our theme of things are weird, holy hell. Did I not predict my current state of affairs when I started that company in my early twenties? I mean, I was, I was ripping out
Justin Shelley (01:43.764)
sound cards and modems, you know, and putting them in and video cards. And then you turn it on and the monitor wouldn't work because the resolution was wrong and good luck fixing the resolution when you can't even see. I mean, those were our problems back then.
Mario Zaki (01:51.573)
Hmm.
Mario Zaki (01:56.989)
Life was simple back then, to be honest with you, Justin.
Justin Shelley (01:59.123)
Yeah, but I thought it was I thought it was crazy. And yeah, I'll take that. Give me that monitor again that won't turn on, you know. Anyway.
Mario Zaki (02:05.109)
I remember those days where you just go home or like when you're even if you're working from home when you're done like That computer that kicked my ass. I had to find this driver on like, you know Turrets or something like I got the you know find just find a way to get it working and it's like, know what that kicked my ass now now it's just like Now it's completely different the the stuff that makes us go home and drink
Justin Shelley (02:15.096)
Yeah.
Justin Shelley (02:27.767)
Yeah.
Justin Shelley (02:34.798)
I didn't even have that advantage at the time. I was very religious and our religion didn't allow us to drink. That's changed. But we, we went through, and we're way off track here, I haven't even done my introduction, but we went through this transition called plug and play. Do you remember PnP, plug and play? And everything was supposed to just work automatically. And it didn't, of course. It took probably about a decade to work that out. Now largely things do just, just work. So we're fighting different battles, but God, the
Mario Zaki (02:50.589)
Yep, yep, yep.
Mario Zaki (02:55.241)
Never.
Justin Shelley (03:03.854)
battles we're fighting now. They're not just frustrating and draining. Like you just said, now they're kind of scary. Right? Like we're fighting crime rings. Now we're no longer fighting IRQ conflicts. We're fighting Russian hackers, as I like to say. And so with that, I'll introduce myself, Justin Shelley, CEO of Phoenix IT Advisors. Like I said, used to be Master Computing. That was a long time ago, back in 1997. We started that. Today, instead of IRQs, sound cards and modems, we help businesses build wealth
Mario Zaki (03:09.939)
Yeah. Yeah.
Justin Shelley (03:32.769)
using technology. And then we try to protect that wealth from these Russian hackers, the government fines and penalties and class action lawsuits. The game has changed and life is weird. So with that, Mario, let's dig into today's episode. And guys, if you've been following us for long, you will notice that there's usually at least three and sometimes four of us. Today it's just you and me, Mario. We're going to have to try to do this thing alone.
It's been a while since we've had not had a guest, so no guests today. We're going to dig in. And, and what I, well, I'm currently in Nevada, right? And the state of Nevada is in deep shit. And that's, that's my tamed down version of the title. We, they got a case of what's assumed to be ransomware. I think they formally admitted that. I have to be careful what I say because nothing's really public at this point.
Mario Zaki (04:03.925)
Yeah, yeah.
Justin Shelley (04:29.322)
Most of what we talk about is speculation because it's an active situation. This breach happened almost a month ago and most of their systems are still down. So Mario, I want your gut instinct reaction on that. If you've been hit with a ransomware attack statewide, a lot of stuff's down, not working at all. And we've made little to no progress on bringing things back up. What's your speculation? And I will say this is speculation.
Mario Zaki (04:40.628)
Really.
Mario Zaki (04:56.245)
Oh, 100 % spec, you know, me guessing is that it is some sort of hack ransomware type of situation.
Justin Shelley (05:01.699)
Yeah.
Justin Shelley (05:07.842)
The gravity. I'm asking about the gravity of the situation. If you haven't brought systems back up online in a month, what's that tell you?
Mario Zaki (05:14.933)
It's bad and I remember now this is a while ago. I remember when the city of Atlanta got, you know, breached and I think that, you know, if memory serves, I think it was three weeks, they weren't able to do anything. They weren't able to hold court cases. They weren't able to, you know, do parking tickets. They weren't able to.
provide people with like invoices to pay their water bills or tax bills. They literally had to break out the paper and pen and you know what? I hate to say it. Most people don't really know how to do that right now. You know, when you're telling them, well, you know, when you're calling in and you're calling somebody, first of all, you may not be able to even find their number because now everything is on the computer. But you know,
You're going to tell them, okay, well, what's your account number? People are going to look at, I don't, do I have an account number? I don't know what my account number is. You know, like everything is online now. And if there is no online, they, the entire city or state can't hold business. can't do anything that they're, you know, used to doing.
Justin Shelley (06:31.384)
I mean, I walked into a, like a sporting goods store the other day and there's a sign on the door that says, you know, no, no fishing licenses because of the cyber attack going on, state of Nevada. You know, so it's, yeah, it, it's crazy. Everything's down. I can't say everything because it's not truly everything, but the stuff that is down.
Mario Zaki (06:51.497)
But I'm sure like people that just turned 17 or whatever the year, they can't renew their licenses, they can't get new licenses, they can't probably register a car that they bought.
Justin Shelley (06:55.756)
Yeah, like DMVs and it's a mess.
Justin Shelley (07:03.629)
Yeah.
Justin Shelley (07:07.598)
Correct. Yeah. All that stuff's in, some of it is happening manually. So again, so we, don't know anything here, but we can talk about other cases that we do know about, and we can talk about stuff that we've personally experienced. let's contrast this with the, it was Marriott, wasn't it? You were there for that one, correct? Where they had just hit, been hit with a ransomware attack. And when we showed up to check in, this was, I believe
Mario Zaki (07:27.689)
Mm-hmm. Yep, yep, yep.
Justin Shelley (07:36.215)
It was less than a week. It was probably three, four, maybe five days post breach post attack. I know we're not supposed to say breach according to Robert Choffee. it was for a company who has, was completely down. They had not restored access to anything. Their response was phenomenal. Right. What, what, what's your take on that? Tell me your thoughts. were there, right?
Mario Zaki (07:58.667)
Mm-hmm.
It was actually very intriguing to watch because we sit here and we tell people have a plan B, know, have, you know, be prepared, do this. And these guys were spot on. It was very professional. Unlike at that time, you know, not too long prior to that was the MGM, you know, fiasco where lines were out the door and stuff like that. No, we...
Justin Shelley (08:12.515)
Right.
Justin Shelley (08:26.06)
Right.
Mario Zaki (08:30.826)
We went in there and until probably halfway through the check-in, because we're in the business, we may not have even realized that they actually were breached. They were able to still have some way to check us in. They weren't able to charge our credit card at the machine, but they're like, we're going to send you a text message, click on the link and do the payment through there. So that was okay, no problem.
You know, take out my phone. They weren't able to issue us room keys, but they're like, somebody's going to escort you to your floor. And then from the floor, have everybody on every, you know, we have an employee on every floor that will walk you to your room and let you in. I actually, part of me felt like, this is actually pretty cool. You know, when we get drunk later tonight, I don't have to worry about finding my room key. You know? Exactly.
Justin Shelley (09:22.112)
Yeah. Exactly. And they'll remember where our room is and what floor we're on. Which, which is way better than hitting all the buttons on the elevator and getting off on every floor and looking up. I was surprised. So I knew, I think we all were aware that they'd been breached before we went there. And we had heard stories because on day one, day two, things were, you know, they're still, they don't know what they're doing yet, right? They're just still trying to roll out their
Justin Shelley (09:50.851)
their plans. And there was a lot of complaints that I'd heard online, about long lines and how tedious and painful the check-in process was. So I showed up fully prepared for this to be a disaster. And I think the check-in process actually took less time than it normally does. I mean, it was, I was shocked. I couldn't believe how fast I got through. And like you said, their payment processing, they had a backup plan in place for that. They had something else. And I don't know if this, I'm assuming this was all planned out ahead of time.
because man, they were on it. And, and so while I cannot speak intelligently or authoritatively on what's going on with the state of Nevada, I can tell you that a month later, almost a month later, they're a mess. I don't know of anything that's actually been restored. know that they have some workarounds, but it's ugly.
Mario Zaki (10:43.84)
But I actually just typed into Google state of Nevada and the first couple things were cyber attacks.
Justin Shelley (10:50.018)
Yeah. Yeah. Look, look at what's come back up since the, since they've been attacked. See if you can find anything there. Cause I can't, I can say walking around here, going into businesses, trying to deal with the government. There's, there's not much, there's not much help. so this is the reason I wanted to bring this up because this isn't the first time I brought it up on the show. And it's certainly not the first time, over and over. hear this when I'm trying to talk to business owners about security, they will point to cases like this.
Mario Zaki (10:57.002)
No.
Justin Shelley (11:19.746)
like the state of Nevada, you know, big government entity with seemingly unlimited resources. mean, because, I mean, listen, the government can just vote themselves more money. They do it all the time. with all of these resources, when they get breached this badly, it makes it seem hopeless for the rest of us. Right. Do you, do you ever, first of all, do you get that pushback from your prospects when you're out doing, okay. What's your answer to them?
Mario Zaki (11:45.289)
lot yes
Mario Zaki (11:49.239)
Our answer is, these big ones, they're targeted. There's a team that literally is going after them. For everybody else, it's the low hanging fruit. It will happen. It's like taking out your phone number and just keep dialing numbers. Eventually...
Justin Shelley (12:04.504)
Good point. Yep.
Mario Zaki (12:16.8)
they're going to find somebody that answers or eventually they're going to get somebody that falls for it. You know, so with them, it's a matter of sending out 10,000 emails, like a day they're going, they may not have a very high percentage, but they don't need a high percentage. It literally the machine, the system does all the work for them. You know, even if they're sending out 10,000 and they get two people to fall for it, that's probably
very minimum $5,000 each breach, know $10,000 to have the you know to pretty much upload a list of emails It's going to it's the low-hanging fruit, you know They may not be targeting your company directly trying to get into your firewall trying to get into your Computers your server or whatever. They may just feel like alright. Well, let's see if one of your employees clicks this link
And that's all it takes is clicking this link or entering a username and password.
Justin Shelley (13:14.616)
Right.
Justin Shelley (13:18.734)
Well, let me, let me add to that with poor cyber security practices. Right. So, so, and this is the way I used to say it when I, you know, I had a, I ran a circuit of live in-person seminars pre 90 or nine 11. Oh my God. How did they go there? Um, well, I guess, cause it just happened pre COVID. Um, I, and I would tell people that it, that you, fall into two buckets. You've either got.
Mario Zaki (13:24.638)
Exactly.
Justin Shelley (13:46.637)
The great big companies who have a target on your back. And if somebody wants in bad enough, they will get in. There is no a hundred percent secure. If somebody wants to breach, they can. then the other target, the other bucket of target, you know, where people fall into is what you're talking about the low hanging fruit. and if we're going to dig into that and let's do that, what makes somebody low hanging fruit? Because you've got the rest of the world, which is
Responsible businesses who don't have a huge target on their back. They're, they're doing the basic security measures. They're training people, their awareness is up there. You know, those guys are probably okay. Or they, and they have a good plan. have good insurance, right? They've got the bases covered, but it's the ones in the absolute target on your back. You're, you're done. governments, who else has been, let's talk about some of these big companies that have been breached.
that shouldn't have like the, FBI, CIA, you know, you, hear about that kind of stuff and that's where it really gets spooky government agencies, big companies. What was the one? And I'm, drawing a blank, the big, no, the big security company, cybersecurity company that was breached not long ago.
Mario Zaki (14:59.222)
Equifax.
Mario Zaki (15:06.102)
Well, LastPass, LastPass was breached.
Justin Shelley (15:13.0)
I hate it when I blank out while we're recording. Anyways.
Mario Zaki (15:15.42)
No before was breached. We'll think of it.
Justin Shelley (15:20.6)
Point is it happens to these companies where you just really don't expect it to. And that is scary. I'll admit like that, that troubles me. But like you said, for the rest of us, unless you just have to stay out of that low hanging fruit category. So let's talk about, no, go ahead. You have some.
Mario Zaki (15:37.73)
But yeah, but the thing is you got to keep in mind those big companies that are that do get hit they are being there they had literally have a I guess an evil, you know, SEAL Team, you know, six or whatever following, know, trying their full time job is to infiltrate that specific company. Right. So it's it may not take it mean they may not be able to do it in a day. They may take them.
months years to finally find that one little pinhole entry that actually gets them to go in. You know it's not like you know and sometimes it may be as simple as an email breach or in like MGM it may be as simple as somebody picking up the phone and calling their help desk pretending to be somebody else but that's not even that simple because these guys with that MGM
Justin Shelley (16:16.355)
right.
Mario Zaki (16:36.145)
They did their research. They found somebody on LinkedIn that they were targeting. It wasn't just a random phone call. They knew what they were doing. They pretended there was somebody. They knew who that person was. They had enough information to provide their IT people to let them reset their account and let them in.
Justin Shelley (17:01.4)
Yeah. So I, SolarWinds is the company I was thinking of that one, when that happened and that was, I believe that was 2020. just, yeah, that happened in 2020. So the whole world was in chaos or that's when all this chaos started. It's never gone away.
Mario Zaki (17:06.519)
SolarWinds, yes, yes.
Mario Zaki (17:18.185)
And then obviously, know, Kaseya, Kaseya is a big one, you know, that got breached.
Justin Shelley (17:21.62)
Right. Well, here's the difference. And I probably shouldn't say this, but I'm going to. So what I will say is that SolarWinds is a company I did not expect to get breached. And that's different from the other company you mentioned.
Mario Zaki (17:33.751)
Mm.
Mario Zaki (17:37.147)
Don't be scared, Justin. Don't be scared. I know they're trying to take over the world of IT, but don't be scared. And we're not saying anything false. They did get breached. They won't deny it.
Justin Shelley (17:41.304)
Ha ha ha.
my God, they're going to sue me.
Justin Shelley (17:50.669)
Yeah, yeah. But I did not expect a company like SolarWinds to get breached. And, you know, where you're talking about, they spend a lot of, there's a lot of planning and strategy that goes into this. In that case, it was a supply chain attack, they didn't directly get into the company, they got into a company that sells to them or you know, that provides. So, and that's kind what I'm saying, if you've got a big enough target on your back, you're kind of in trouble. You have a good backup plan. Have a good
Mario Zaki (17:56.023)
Yeah.
Justin Shelley (18:20.662)
response plan, insurance attorneys, and that kind of thing. The rest of us who are, are small, smaller organizations, it just becomes critical to not be in the category of low hanging fruit. So let's, let's talk about what that means. in fact, you had a really good one before we started, you know, before we hit the record button. So step one, what, what do we need to do? Mario October is coming up. What does that mean for people?
Mario Zaki (18:48.215)
Well, we're exactly under a month away from Windows 10 being end of life. Now, before this, I actually looked up some numbers. So obviously, people should know what Windows 10 is or Windows 11. It's the operating system on a lot of computers. Worldwide, Windows 10 is still on 45 % of the computers out
In the United States, Windows 10 is a little better. It's a little under 38%. Now, come next month, Microsoft said, unless you pay us, we are no longer going to extend support for Windows 10. We're not updating any patches. We're not doing any vulnerability patching or updates or anything. So even if it's...
Justin Shelley (19:18.67)
Okay, good.
Mario Zaki (19:44.408)
out there, it's known that Windows 10 has a big vulnerability and it can be encrypt everything, they're gonna say, sorry, we're not fixing it. It's no longer being supported. That's a big deal because like I said, almost 40 % of the computers just in the United States are still on Windows 10. And this was as of August of 2025, which was last month.
Justin Shelley (20:09.666)
Right. Right. So a couple of things here. number one, this isn't a huge deal if you are willing to address it. But I will say if your computer's old, if it's three, four or five years old, please replace it. that said, there's a free upgrade from Microsoft. So it's not like, you know, and I don't know if you know this, I think I told you, but, you know, on our YouTube channel for unhacked, we were talking about this.
And some yahoo gets on there and starts just flaming us over this idea that, you know, Microsoft a yes, they will support it. We don't know what we're talking about. They have to support it. They're legally obligated to support into continue doing security patches. And I went back and forth with this joker for, you know, till I got bored. But it, this is not a case of Microsoft refusing to support. What they're doing is just saying, we're not going to keep doing Windows 10.
Go to Windows 11, hit a button, right? It's a free upgrade if you have the equipment that will support it. So they're gonna continue to support. They're just saying, don't be stupid. Fair, right? I mean like.
Mario Zaki (21:20.257)
Yeah, very fair. And it's not just Microsoft that does this, by the way. know, like Apple does the same thing, know. Android does the same thing with their phones. Like you have to, there's gonna be a certain point where, you know, if you don't update or if your phone is too old, you know, you're not gonna get like, like you can't have like a 10 year old operating, you know, Apple iPhone.
and think that you're going to get the latest iOS, which is iOS 26, you're not going to get it. They just don't, they no longer support that hardware, no longer will support your old operating system. You're not going to get the updates anymore. Even if they know there's a vulnerability with it, they're just not going to do it. And it's also, you know, security companies, IT companies, you know, if we get a, if we get a new customer and they have,
Windows like seven or Windows XP computers. We're gonna tell them listen We can't do anything with this week. Our software is not gonna go on it We're not gonna be able to troubleshoot it because we can't we can't we don't have the tools to to keep it secure
Justin Shelley (22:35.702)
And here's something that, you know, cause I understand that most, most humans do not understand what goes into writing programs for computers. It is a very messy and very complicated process. There are millions and millions of lines of code that goes into an operating system and all the pieces that fit into it. So to continue to update something that, you know, at some point the core product
has been updated so many times that it itself starts falling apart. just, can't continue to update something past a certain point. It's just too messy. You've ended up rewriting or patching or fixing, or, know, it's like putting duct tape on something. That's not a great example, but if you think of trying to fix a car with duct tape over and over and over and over, you just have a big ball of duct tape. You don't have a car anymore. So at some point we've just got to like wipe the slate clean and start over.
Mario Zaki (23:11.2)
Exactly.
Justin Shelley (23:31.255)
I don't think Microsoft would love my analogy right now, but you know, there, need a visual to understand you have to stop using old stuff at some point. And, know, and before we hit record and like you said, we should have just recorded all of our planning for this episode. but it's, it's, we're in this weird time where, God, I'm just going to keep using the word weird. Everybody's got, you know, the economy is weird. Politics are weird. everything's just kind of weird.
Mario Zaki (23:35.212)
No, no, no, no,
Justin Shelley (24:00.648)
And there is this absolute resistance to, to upgrade to, you know, I, I can tell you, I've got clients that I cannot get to upgrade their computers right now. They won't do it. And if they do, they're going out to Walmart and buying the cheapest shit they can find. It's like, fine. You can do that. At least we're not dealing with the vulnerabilities of Windows 10, but now you're going to be dealing with a computer that breaks in three months and you're going to have to go back to Walmart and tell them, yeah, good luck. Whatever.
Mario Zaki (24:29.432)
Good luck with that. Good luck with that. But that's the thing too. And what we tell our customers, you're more than welcome to go and get that. We will set you up. the second, obviously we're billing you for our time. The second that happens and you have to go and warranty it out, you have to do it. We're not doing it for you because it's not our product.
Justin Shelley (24:30.488)
Good luck. Just don't call me.
Mario Zaki (24:59.126)
All right. And then we're going to do our work again and bill you again. You know, I had, we had a customer, you know, not too long ago. They went and purchased, you know, a computer on their own and they asked us to come and set it up. Guess what? We turned it on and the computer just wouldn't go on. just, was a, you know, defective computer right out of the box. We billed them for the visit and then we had to bill them again once they got the new computer.
You know where if they got the computer from us, we're responsible. It's our responsibility. You know we are and then if there's something wrong, the warranty goes through us. We will take care of everything, but we can't sit there and call you know Dell for you. We can't you know like you know you have Dell you have my you know. Microsoft services we have Lenovo's we have so many different vendors that we can't.
You with you purchase from us, we have our own reps. We have our own back door to support, to get things done faster for you, replace for you faster. There's times where I'm like, all right, you know what? We're going to give you one from our own stock because that's a computer you bought from us. What, you know, you don't want to wait for, for replacement. No problem. We'll, we'll give you one of ours and we'll, we'll deal with the replacement. That's, know, that's what you get when you don't buy shit from Best Buy or Walmart or Target or whatever, you know?
Justin Shelley (26:20.59)
Right? Yeah. I mean, listen, if we're being honest, if, if, if our clients don't pay us, we aren't really motivated to help them out. I've just been, listen, we're not a charity. I'm sorry. I do have a place in my heart for my client. I love my clients. I love business and I want to help, but I got to pay my bills too. So, you know, if you're, if you're going to cut.
Mario Zaki (26:40.387)
Same here.
Mario Zaki (26:45.081)
And it's not like we're buying the same piece of crap computer and selling. We're buying high-end stuff, selling them high-end stuff. We're probably marking it up 10% and then selling it. That 10%, that pays our employees, that pays our rent, that pays our storage that we have. Some people don't want to pay more than what it's cost. But I'm like, OK.
Justin Shelley (26:49.624)
Correct, right, right.
Mario Zaki (27:15.321)
then if you want that, go ahead, here's the computer, order it, wait two weeks, three weeks to get it, or you can pay 10 % and we can have it installed for you today. But that rent that I'm paying to hold that computer is not free, the electricity, all that stuff. But anyway, we're out of tangent.
Justin Shelley (27:30.551)
Right. I know we're we're on a tangent, but I'm to go a little bit farther with the tangent, then we'll we'll bring this back. I actually built a page on my website where I did the math and I can prove to you that buying a better computer through me will save you money over time. It will actually be cheaper. You spend a little bit more upfront, long term, the the it's significantly more cost effective to do it.
Mario Zaki (27:38.35)
Ha
Justin Shelley (27:58.633)
And, you know, go to phoenixitadvisors.com slash PC dash ROI. I built a little page explaining the math. So, but we're, you know, we're, here talking about security and while a cheap computer isn't directly going to, I mean you're more likely to get breached when you have this mindset of cutting every corner all the time and doing the cheapest thing you can possibly do. I mean you get what you pay for, right? So
Mario Zaki (28:27.641)
Thanks.
Justin Shelley (28:27.906)
where, you know, where we started this conversation off by talking about entities, governments in particular, who have seemingly endless resources. And I know that they have limits, they have budgets, but they can do better. And one of the things that the advantages that we have as small businesses is that we can do this. We can make these decisions on our own. We don't have to go to a committee to get a budget. We just have to make smart decisions. and the,
case of computers, if you're going to run an outdated computer because, you know, you haven't bought one for five years, so the Windows 11 upgrade path doesn't work, you are putting yourself at risk. You don't have to do that. So when you get breached, you've only got yourself to blame. And I hate to say that, but like at some point we have to take responsibility for our actions. Being cheap is not smart. Always being frugal, you know, making money. That's smart. Let's talk about profit. Let's talk about ROI. Let's talk about being responsible with our money, but
Mario Zaki (29:09.132)
Exactly.
Justin Shelley (29:23.31)
cutting every corner is not the answer. and I'm, I'm, I'm off my soapbox. I'm going to take a breath and calm down here. What are some other basics Mario that as small businesses where we actually have an advantage over these larger institutions that seem to get breached? I mean, God, all the time.
Mario Zaki (29:43.866)
Yeah, mean, it's some of the smaller stuff, know, like there is, it's not gonna cost you, you know, as much to try to lock down, you know, your network, you know, it can be very basic stuff. And at the very top of that list is educating your employees. know, it's somewhere less than $5 a month, you know, that's on the high end, less than five.
Justin Shelley (30:12.162)
on the high end.
Mario Zaki (30:13.21)
a very high end, less than $5 a month, you know, per employee, you can have them enroll in cybersecurity training. You can have them get, you know, simulated phishing attacks, educate them, have them be able to tell the difference, or at the very minimum, if they're not sure, to be able to submit it, you know, to be analyzed by your IT people. For less than $5 a month, you could adopt.
adopt a small child from Africa. And we've had these conversations. People pay, they want the top employees, they pay well and stuff like that. What's an extra $5 a month to keep that employee educated? Or what did we break it down to one time?
We said like 90 cents, you're pretty much investing an extra 90 cents an hour in an employee for full managed support services, you know, everything.
Justin Shelley (31:21.122)
Yeah. To give the, the like, I'm not going to say the best of the best, but like above adequate, above average to give high quality IT support and high quality technology, the equipment, software and everything else. Yeah. When you, when you put it side by side with the wages, I mean, like, good Lord, this is like buying a Ferrari and putting used oil in the engine. I mean, why, why in the world would you take your most expensive and most valuable
asset that creates you the most wealth. These are your employees and then give them shit equipment to work on and, and, and no education. And like, not only are they your biggest asset, but they're also your biggest liability. If you're like you said, if you don't educate them, right. And if you, if you don't train them properly and then they become the, know, the, the one that clicks that link that they shouldn't, it's just crazy. This is, this is a crazy, use of money or a crazy place to cut costs.
Mario Zaki (31:58.222)
Thanks.
Mario Zaki (32:04.758)
And biggest expense
Mario Zaki (32:19.226)
Exactly, You know, and that's a great analogy. You're like, you're not going to go and get a brand new car or whatever and go fill it up with BS, you know, gas and stuff like that or cheap oil. You know, you're going to want to take care of it. You're going to want to prolong the life, make it last and perform at the best possible way you can perform.
Justin Shelley (32:44.334)
So I'm going to go ahead and I know I've used this example before, but I love it because it illustrates the things that to me are the most important where cybersecurity is concerned. And it's what we say over and over, get the basics taken care of. And, you know, we can sit here and list all of them out, but we've done that over and over. I mean, for facts, like just go to AI right now and say, what are the basic cybersecurity measures I should put in my business? And you've got them. All right. So I'm not going to beat that dead horse, but putting the basics in place. Number one and number two is culture.
And, and I, I continue to beat up on the city of Fort Worth because they illustrated this better than any other example that I've come across. This is back in 2017. They lost around $500,000. So keep that number in mind. Because we're going to come back to the actual cost because of how they mishandled the situation. The problem was identified by a senior IT manager. He discovered significant cybersecurity deficiencies. And in his words,
They were non-compliance with industry and federal standards, right? This is not like high level, high end advanced. It was just the basics, the industry standards. They didn't have them in place. So this senior IT manager brings it to his higher ups and says, Hey, here's what I found. Here's how to fix it. And his higher ups told him in my words, not theirs, sit down and shut up. All right. Because you're causing problems because this will make us look bad. People will start asking us, well, why haven't you done it already? Well,
I don't know. And then they're going to say, where are we going to get the money? Cause now we've got to go to committees and we've got to get budget for it. We've, you know, so we're not going to do anything about it. So take your concerns and keep them to yourself and, and stand your lane, right? Like that's effectively what happened in this situation. The employee whose name I'm not going to put out there, but again, all of this is publicly available. He turned into a whistleblower. He made a fuss. He got fired.
because of the, he filed a wrongful termination suit. I think there were actually two or three employees total involved in this whole thing. In the end, they settled this and the city had to pay out $9.6 million just in how they handled the situation. That's so far above and beyond the 500,000. That was the original problem. They turned it into almost a $10 million problem because of their atrocious culture. So.
Justin Shelley (35:13.73)
This is like, in my mind, the root of the problem that we have with cybersecurity is we don't have the proper basics in place. And then we don't put a good culture around it in our organizations where we're working as a team to fight the bad guys. We make ourselves the bad guys. It's, it's the weirdest situation, you know, and Mario, you and I have both probably run the same marketing campaign where it's, you know, when you get breached, are they going to call you stupid or just irresponsible?
I love that headline. And it's crazy because the victims of crime get turned into the bad guys. Somehow we become the ones that get prosecuted and persecuted. It's nonsense. that good. and sued and sued. Yes. Yes.
Mario Zaki (35:43.542)
Exactly. Yeah.
Mario Zaki (35:55.414)
Institute
And sued remember and you know, we talk about it now. Do you remember Joseph Brunsman when he the daddy's getting in a new boat conversation story that still one of my favorite moments, you know it it in that example with you know it You're not just gonna get sued, you know, like people get breached, you know But you're not gonna get sued if you're doing the right thing and you can prove that you're
Justin Shelley (36:08.172)
Hey, yes, I remember that. I love that story.
Mario Zaki (36:27.053)
Not, you don't necessarily have to go from, you know, in one day, go all sudden, implement everything under the sun, but you're showing a progress. You're showing that, okay, we're, we're replacing computers. We have them patch. We are doing this. We're doing this, you know, in the event something happens, which happens, you know, like you're covered. You're not going to get sued because you're working towards getting the right thing in that example. In that situation, they would get sued because they weren't doing it.
If there is a trail showing that, hey, your IT company or your IT person, in-house IT person brought this to your attention and you told them to go F off, well, guess what? That's negligence.
Justin Shelley (37:10.656)
Absolutely. Yeah. And yeah, I love that you brought that up because that has just become I mean, it's it's my whole outlook on this problem right now. You don't have to do everything you can't do everything into if we just take the Windows 10 idea. Like if you can't afford if it's a legitimate problem in your company, you do not have the money to upgrade all your computers before the deadline next month. Right? That's fine. So write it down.
We have X number of computers running Windows 10. We have this budget. We're going to roll it out. It's going to take us a year. And I got, please don't use this example because it's terrible, but worst case, I am putting out a worst case scenario and let's just say you can't do it. Make a plan. We're going to, we've got 10 PCs that are out of date and we're going to replace one a month. And you know, we got started late because of budgetary constraints and we hope it improves whatever, right? But just have a plan and then start executing the plan.
Mario Zaki (37:47.771)
You
Justin Shelley (38:07.148)
because worst case, if you get breached, that's bad enough, but at least then you can show a court. Should it come to that? Like, Hey, we did know about this. We were taking steps to resolve it. And while we had this known vulnerability, we were doing extra, work in, around our culture and around, employee education and awareness. And, you know, we held special meetings. I don't click this or whatever, but you know, it's just showing that you are doing something about it because
What does not work in preventing breaches and preventing lawsuits is ignorance. That's not going to help you at all. I didn't know. I wasn't aware. Well, too bad.
Mario Zaki (38:49.083)
It works nowhere, you know, like you even when you commit a crime, you can't plead that, you know, like it just doesn't work, you know, you will get sued you and you know, forget about suing it's just also it's the heading that comes along with it, you know, if you're in a certain practice, you have to call the FBI, you know, your company may not survive. I mean, you know, we we've talked to people that are have, you know,
Justin Shelley (38:53.463)
Right.
Justin Shelley (39:06.976)
yeah.
Justin Shelley (39:11.394)
Mm-hmm.
Mario Zaki (39:18.779)
The company was handed from generation to generation and you're the asshole that brought it up under. It's stuff that you have to keep in mind. IT is not going to be your biggest expense. It really isn't. You need it. You need IT to run your business. Even like delis and stuff like that. Stuff for the companies that have just one
Justin Shelley (39:25.068)
Yeah, yeah.
Mario Zaki (39:48.347)
throughout the whole company. You know, they still need it. You know, landscapers, they'll have like 50 employees but one computer. They still need that computer, you know.
Justin Shelley (39:57.913)
Well, and they need the culture, the training, the awareness. And again, I think this was before we hit record our mistake. You brought up how a lot of these scams and hacks these days are, you know, the, they're always after money in the end. They're after money. You don't necessarily have to get a computer breached in order for somebody to take your money. Right? Like you had mentioned the new scams are, are what text message and you know, what else did you talk about?
Mario Zaki (40:20.304)
Exactly.
Mario Zaki (40:26.114)
in the text messages emails I mean they're they actually sometimes will send they'll send letters you know they'll send letters in the mail saying you know open invoice or you know the guy how many times will you see like that scam of like your domain is gonna be expired you know and you know pay this you know to to pay you know to do this or whatever and then on the bottom on very fine print this is not an actual bill you know
Justin Shelley (40:34.85)
Yeah.
Justin Shelley (40:45.765)
my god, yeah, yeah.
Justin Shelley (40:54.606)
Right, yep, those are the best.
Mario Zaki (40:56.312)
you know, it's, it's all over and, and, you know, I've had people constantly will forward me an email, take a picture, do whatever, and send me this like, Hey, I got this. What do you, should I do? Should I pay it? I'm like, no, absolutely not. This has, you don't need to pay this. This is a scam. Sure. You know, get rid of it. You know, it's, educating people being there. You know, sometimes you just need that company or that
person that you can just bounce ideas on. Like, got this in the mail, I got this email, you know, whatever, what should I do? You it's, you know, you just need that person, you need the education, you need, it's all, it's all about knowledge.
very minimal.
Justin Shelley (41:42.317)
Yeah. Yeah. Ignorance is not going to help us. Well, listen, Mario, I think, I think I've ranted about as much as I can for the day. I need one of those, beers or whiskies or whatever you said you, mentioned earlier. so let's go ahead and, and move towards wrapping this up as we like to do. What would be your key takeaway? If somebody just listened to this part of the podcast, Mario, what should they learn today?
Mario Zaki (41:54.854)
the
Mario Zaki (42:10.108)
The key part is to do something. No matter what it is, do something. It could be as simple as pushing a button to upgrade your system or to just go out there and just learn or teach your employees what to look for. Okay. If you see something, say something, you know, if you have some doubts, bounce it up, you know, towards bounce it against your IT people.
Send it to them, forward it to them, you know? Find out if it's legit or not. You know, don't just stay stagnant.
Justin Shelley (42:47.778)
Yeah, I love it. I mean, do something. And I will just say again, like if, this isn't your cup of tea and you don't know what you're doing and, and listen, let's just say you don't have the budget to hire somebody. I don't even like to say that out loud because this is not a DIY program. This is doing cybersecurity is not something you should do yourself. It's like, don't do brain surgery on yourself either. but if you've got nothing else going on for you, pull up ChatGPT and say, what's one thing I can do to make my business more secure today? Right.
I mean, also you could listen to our podcast. You can, you know, there's, so many resources out there, but yes, do something, get those basic security measures in place. Do that first. And then, I will continue to beat this drum of the culture in your organization. We have to reward good behavior and we have to punish bad behavior where this is concerned. because we as humans are the weakest link in the, in this situation. So, that's what I've got Mario as always. I appreciate you being here.
the loyal faithful Mario who is here week after week unless he's sitting on a beach in Egypt. You bastard. And you did not invite me. So guys, thank you for tuning in. We will be here next week with more advice and tips to keep you and your business safe. That's what we've got for this week. Mario, thanks again. We'll see you guys.
Mario Zaki (43:50.192)
Mm-hmm.
Yes.
Mario Zaki (44:06.204)
Thank you, bye guys.